In ssh dump, we use random-seed to feed /dev/urandom. In later release of systemd[1], random-seed is moved from /var/lib/random-seed to /var/lib/systemd/random-seed. We need to adapt the change and also keep backward compatibility with older systemd.
[1]: http://cgit.freedesktop.org/systemd/systemd/commit/?id=ef5bfcf668e6029faa785...
Signed-off-by: WANG Chao chaowang@redhat.com --- dracut-kdump.sh | 7 ++++++- dracut-module-setup.sh | 3 ++- 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/dracut-kdump.sh b/dracut-kdump.sh index 4d8616f..a7672e1 100755 --- a/dracut-kdump.sh +++ b/dracut-kdump.sh @@ -146,7 +146,12 @@ dump_ssh()
echo "kdump: saving to $_host:$_dir"
- cat /var/lib/random-seed > /dev/urandom + if [ -f /var/lib/random-seed ]; then + cat /var/lib/random-seed > /dev/urandom + elif [ -f /var/lib/systemd/random-seed ]; then + cat /var/lib/systemd/random-seed > /dev/urandom + fi + ssh -q $_opt $_host mkdir -p $_dir || return 1
save_vmcore_dmesg_ssh ${DMESG_COLLECTOR} ${_dir} "${_opt}" $_host diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh index c013430..96009f8 100755 --- a/dracut-module-setup.sh +++ b/dracut-module-setup.sh @@ -398,7 +398,8 @@ install() { >"$initdir/lib/dracut/no-emergency-shell"
if is_ssh_dump_target; then - dracut_install /var/lib/random-seed || exit $? + dracut_install -o /var/lib/random-seed || exit $? + dracut_install -o /var/lib/systemd/random-seed || exit $? fi dracut_install -o /etc/adjtime /etc/localtime inst "$moddir/monitor_dd_progress" "/kdumpscripts/monitor_dd_progress"
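Review bot: In the dump_ssh() hunk of dracut-kdump.sh, the new if/elif has no else branch, so when neither /var/lib/random-seed nor /var/lib/systemd/random-seed is present in the initramfs the code falls through to ssh without writing anything to /dev/urandom and without any message. Add an else branch that at least prints a "kdump:" warning, so an unseeded ssh dump shows up in the console log.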
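Review bot: In the install() hunk of dracut-module-setup.sh, both dracut_install calls now carry -o, which silently turns the seed from required into optional: an initramfs for an ssh target can be built with neither file, where the old line stopped the build with exit $?. If the seed is still meant to be mandatory, test the two paths with [ -f ... ] and fail when neither exists; if it is meant to be optional, the commit message should say so.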
On Mon, Dec 23, 2013 at 01:50:38PM +0800, WANG Chao wrote:
In ssh dump, we use random-seed to feed /dev/urandom. In later release of systemd[1], random-seed is moved from /var/lib/random-seed to /var/lib/systemd/random-seed. We need to adapt the change and also keep backward compatibility with older systemd.
Signed-off-by: WANG Chao chaowang@redhat.com
dracut-kdump.sh | 7 ++++++- dracut-module-setup.sh | 3 ++- 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/dracut-kdump.sh b/dracut-kdump.sh index 4d8616f..a7672e1 100755 --- a/dracut-kdump.sh +++ b/dracut-kdump.sh @@ -146,7 +146,12 @@ dump_ssh()
echo "kdump: saving to $_host:$_dir"
- cat /var/lib/random-seed > /dev/urandom
if [ -f /var/lib/random-seed ]; then
cat /var/lib/random-seed > /dev/urandom
elif [ -f /var/lib/systemd/random-seed ]; then
cat /var/lib/systemd/random-seed > /dev/urandom
fi
ssh -q $_opt $_host mkdir -p $_dir || return 1
save_vmcore_dmesg_ssh ${DMESG_COLLECTOR} ${_dir} "${_opt}" $_host
diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh index c013430..96009f8 100755 --- a/dracut-module-setup.sh +++ b/dracut-module-setup.sh @@ -398,7 +398,8 @@ install() { >"$initdir/lib/dracut/no-emergency-shell"
if is_ssh_dump_target; then
dracut_install /var/lib/random-seed || exit $?
dracut_install -o /var/lib/random-seed || exit $?
dracut_install -o /var/lib/systemd/random-seed || exit $?
below is better?
dracut_install /var/lib/random-seed || dracut_install -o /var/lib/systemd/random-seed || exit $?
fi dracut_install -o /etc/adjtime /etc/localtime inst "$moddir/monitor_dd_progress" "/kdumpscripts/monitor_dd_progress"
-- 1.8.4.2
kexec mailing list kexec@lists.fedoraproject.org https://lists.fedoraproject.org/mailman/listinfo/kexec
On 12/25/13 at 05:30pm, Dave Young wrote:
On Mon, Dec 23, 2013 at 01:50:38PM +0800, WANG Chao wrote:
In ssh dump, we use random-seed to feed /dev/urandom. In later release of systemd[1], random-seed is moved from /var/lib/random-seed to /var/lib/systemd/random-seed. We need to adapt the change and also keep backward compatibility with older systemd.
Signed-off-by: WANG Chao chaowang@redhat.com
dracut-kdump.sh | 7 ++++++- dracut-module-setup.sh | 3 ++- 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/dracut-kdump.sh b/dracut-kdump.sh index 4d8616f..a7672e1 100755 --- a/dracut-kdump.sh +++ b/dracut-kdump.sh @@ -146,7 +146,12 @@ dump_ssh()
echo "kdump: saving to $_host:$_dir"
- cat /var/lib/random-seed > /dev/urandom
if [ -f /var/lib/random-seed ]; then
cat /var/lib/random-seed > /dev/urandom
elif [ -f /var/lib/systemd/random-seed ]; then
cat /var/lib/systemd/random-seed > /dev/urandom
fi
ssh -q $_opt $_host mkdir -p $_dir || return 1
save_vmcore_dmesg_ssh ${DMESG_COLLECTOR} ${_dir} "${_opt}" $_host
diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh index c013430..96009f8 100755 --- a/dracut-module-setup.sh +++ b/dracut-module-setup.sh @@ -398,7 +398,8 @@ install() { >"$initdir/lib/dracut/no-emergency-shell"
if is_ssh_dump_target; then
dracut_install /var/lib/random-seed || exit $?
dracut_install -o /var/lib/random-seed || exit $?
dracut_install -o /var/lib/systemd/random-seed || exit $?
below is better?
dracut_install /var/lib/random-seed || dracut_install -o /var/lib/systemd/random-seed || exit $?
Using dracut_install will error out w/o -o option. I think random-seed is not essential for ssh dump, we can omit it safely. What do you think for below:
dracut_install -o /var/lib/random-seed
dracut_install -o /var/lib/systemd/random-seed
Thanks WANG Chao
fi dracut_install -o /etc/adjtime /etc/localtime inst "$moddir/monitor_dd_progress" "/kdumpscripts/monitor_dd_progress"
-- 1.8.4.2
On Wed, Dec 25, 2013 at 06:07:39PM +0800, WANG Chao wrote:
[..]
if is_ssh_dump_target; then
dracut_install /var/lib/random-seed || exit $?
dracut_install -o /var/lib/random-seed || exit $?
dracut_install -o /var/lib/systemd/random-seed || exit $?
below is better?
dracut_install /var/lib/random-seed || dracut_install -o /var/lib/systemd/random-seed || exit $?
Using dracut_install will error out w/o -o option. I think random-seed is not essential for ssh dump, we can omit it safely. What do you think for below:
dracut_install -o /var/lib/random-seed
dracut_install -o /var/lib/systemd/random-seed
I am not sure if random seed is optional. I think things will still work but enough randomness might not be there and it might make for weaker crypto and might make it little less secure in kdump environment.
Before this change, we used dracut install without -o option. That means random seed was a must. So why change behavior now.
How about using following.
if [ -f /var/lib/random-seed ]; then
    dracut_install /var/lib/random-seed || exit $?
elif [ -f /var/lib/systemd/random-seed ]; then
    dracut_install /var/lib/systemd/random-seed || exit $?
else
    exit 1  # error
fi
Thanks Vivek
On 01/14/14 at 04:17pm, Vivek Goyal wrote:
On Wed, Dec 25, 2013 at 06:07:39PM +0800, WANG Chao wrote:
[..]
if is_ssh_dump_target; then
dracut_install /var/lib/random-seed || exit $?
dracut_install -o /var/lib/random-seed || exit $?
dracut_install -o /var/lib/systemd/random-seed || exit $?
below is better?
dracut_install /var/lib/random-seed || dracut_install -o /var/lib/systemd/random-seed || exit $?
Using dracut_install will error out w/o -o option. I think random-seed is not essential for ssh dump, we can omit it safely. What do you think for below:
dracut_install -o /var/lib/random-seed
dracut_install -o /var/lib/systemd/random-seed
I am not sure if random seed is optional. I think things will still work but enough randomness might not be there and it might make for weaker crypto and might make it little less secure in kdump environment.
Yes, it's right. Without sufficient entropy, the random could be theoretically vulnerable. That makes kdump environment less secure like you said.
But kdump can't force user to maintain such random seed file /var/lib/systemd/random-seed or /var/lib/random-seed. For whatever reason, this seed file could be deleted or relocated some other place.
Given the fact that entropy may be not sufficient and we must feed /dev/urandom in 2nd kernel. What makes sense to me is that we generate our own seed when creating kdump initramfs and feed this one to /dev/urandom in 2nd kernel.
It's rather simple to implement it. [inspired from man:random(4)]
In module-setup.sh, save random seed:
dd if=/dev/urandom of=${initdir}/$RANDOM_SEED \
   bs=`cat /proc/sys/kernel/random/poolsize` count=1
In kdump.sh, feed /dev/urandom with our preserved random seed:
cat $RANDOM_SEED > /dev/urandom
So neither we have to fail when kdump can't find the system-wide random seed file nor we have worry about where the seed is located.
What do you think?
Before this change, we used dracut install without -o option. That means random seed was a must. So why change behavior now.
Actually, I didn't understand why random-seed is a must.
Thanks WANG Chao
How about using following.
if [ -f /var/lib/random-seed ]; then
    dracut_install /var/lib/random-seed || exit $?
elif [ -f /var/lib/systemd/random-seed ]; then
    dracut_install /var/lib/systemd/random-seed || exit $?
else
    exit 1  # error
fi
Thanks Vivek
On Wed, Jan 15, 2014 at 03:39:14PM +0800, WANG Chao wrote:
[..]
I am not sure if random seed is optional. I think things will still work but enough randomness might not be there and it might make for weaker crypto and might make it little less secure in kdump environment.
Yes, it's right. Without sufficient entropy, the random could be theoretically vulnerable. That makes kdump environment less secure like you said.
But kdump can't force user to maintain such random seed file /var/lib/systemd/random-seed or /var/lib/random-seed. For whatever reason, this seed file could be deleted or relocated some other place.
Given the fact that entropy may be not sufficient and we must feed /dev/urandom in 2nd kernel. What makes sense to me is that we generate our own seed when creating kdump initramfs and feed this one to /dev/urandom in 2nd kernel.
It's rather simple to implement it. [inspired from man:random(4)]
In module-setup.sh, save random seed:
dd if=/dev/urandom of=${initdir}/$RANDOM_SEED \
   bs=`cat /proc/sys/kernel/random/poolsize` count=1
In kdump.sh, feed /dev/urandom with our preserved random seed:
cat $RANDOM_SEED > /dev/urandom
So neither we have to fail when kdump can't find the system-wide random seed file nor we have worry about where the seed is located.
In general I like the idea that we use /dev/urandom to save the seed if it is not available at standard places. So how about following.
if [ -f /var/lib/random-seed ]; then
    dracut_install /var/lib/random-seed
elif [ -f /var/lib/systemd/random-seed ]; then
    dracut_install /var/lib/systemd/random-seed
else
    : # Use /dev/urandom as random seed
fi
Thanks Vivek
On 01/15/14 at 12:52pm, Vivek Goyal wrote:
On Wed, Jan 15, 2014 at 03:39:14PM +0800, WANG Chao wrote:
[..]
I am not sure if random seed is optional. I think things will still work but enough randomness might not be there and it might make for weaker crypto and might make it little less secure in kdump environment.
Yes, it's right. Without sufficient entropy, the random could be theoretically vulnerable. That makes kdump environment less secure like you said.
But kdump can't force user to maintain such random seed file /var/lib/systemd/random-seed or /var/lib/random-seed. For whatever reason, this seed file could be deleted or relocated some other place.
Given the fact that entropy may be not sufficient and we must feed /dev/urandom in 2nd kernel. What makes sense to me is that we generate our own seed when creating kdump initramfs and feed this one to /dev/urandom in 2nd kernel.
It's rather simple to implement it. [inspired from man:random(4)]
In module-setup.sh, save random seed:
dd if=/dev/urandom of=${initdir}/$RANDOM_SEED \
   bs=`cat /proc/sys/kernel/random/poolsize` count=1
In kdump.sh, feed /dev/urandom with our preserved random seed:
cat $RANDOM_SEED > /dev/urandom
So neither we have to fail when kdump can't find the system-wide random seed file nor we have worry about where the seed is located.
In general I like the idea that we use /dev/urandom to save the seed if it is not available at standard places. So how about following.
if [ -f /var/lib/random-seed ]; then
    dracut_install /var/lib/random-seed
elif [ -f /var/lib/systemd/random-seed ]; then
    dracut_install /var/lib/systemd/random-seed
else
    : # Use /dev/urandom as random seed
fi
It's too complicated code block and if the seed file changes again, we have to address it for another time. The code block will grow larger and larger.
A seed file doesn't have to be the standard one. As far as I know, /var/lib/systemd/random-seed works in a quite simple way:
1. When system is booting, systemd-random-seed.service starts and do the following job:
a) Restore the entropy pool from the last boot by:
cat /var/lib/systemd/random-seed > /dev/urandom
b) Save the entropy pool for the next boot by (in case a sudden shutdown):
dd if=/dev/urandom of=${initdir}/$RANDOM_SEED \
   bs=`cat /proc/sys/kernel/random/poolsize` count=1
2. When system is shutting down, s-r-s.service stops and do the following job:
a) Save the entropy pool for the next boot:
dd if=/dev/urandom of=${initdir}/$RANDOM_SEED \
   bs=`cat /proc/sys/kernel/random/poolsize` count=1
So based on how /var/lib/systemd/random-seed works, I think it's nothing wrong if we use a random seed created by ourselves. It could be less vulnerable (more secure) using a different random seed rather than preserving /var/lib/systemd/random-seed for 2nd kernel.
That's why I'd like to stick to the idea to create our own seed and not use the systemd's one.
Thanks WANG Chao
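The save-and-restore cycle described in the message above, written out as an added example in the style of the random(4) script; it is not code from this thread or from kexec-tools. The helper names and the optional source, sink and poolsize-file arguments are assumptions, there so the functions can be exercised on ordinary files.

```shell
#!/bin/sh
# Added example: seed save/restore in the style of random(4).
# seed_bytes, save_seed and load_seed are hypothetical names, not kdump code.

# Print the pool size in bytes. Linux 2.6 and later report poolsize in
# bits; fall back to 4096 bits when the proc file is not readable.
seed_bytes() {
    poolfile=${1:-/proc/sys/kernel/random/poolsize}
    bits=4096
    if [ -r "$poolfile" ]; then
        bits=$(cat "$poolfile")
    fi
    case $bits in
        ''|*[!0-9]*) return 1 ;;    # not a plain number
    esac
    [ "$bits" -ge 8 ] || return 1
    echo $((bits / 8))
}

# save_seed SEED_FILE [SOURCE] [POOLSIZE_FILE]
# Build-time side (module-setup.sh in the thread): write one pool's worth
# of bytes to SEED_FILE, readable by the owner only, and fail loudly
# instead of leaving a short or missing seed behind.
save_seed() {
    seed=$1
    src=${2:-/dev/urandom}
    bytes=$(seed_bytes "$3") || return 1
    (
        umask 077                   # seed must not be world-readable
        tmp=$seed.tmp.$$
        dd if="$src" of="$tmp" bs="$bytes" count=1 2>/dev/null ||
            { rm -f "$tmp"; exit 1; }
        size=$(( $(wc -c < "$tmp") ))
        if [ "$size" -ne "$bytes" ]; then
            rm -f "$tmp"            # short read: do not install it
            exit 1
        fi
        mv -f "$tmp" "$seed"        # replace the old seed in one step
    )
}

# load_seed SEED_FILE [SINK]
# Second-kernel side (kdump.sh in the thread): mix the saved seed into
# the pool. Writing to /dev/urandom stirs the data in but does not raise
# the kernel's entropy count, so this is mixing, not crediting.
load_seed() {
    seed=$1
    sink=${2:-/dev/urandom}
    [ -f "$seed" ] && [ -s "$seed" ] || return 1
    cat "$seed" > "$sink"
}

# Typical calls (paths are assumptions):
#   save_seed "${initdir}/var/lib/random-seed" || exit 1
#   load_seed /var/lib/random-seed || echo "kdump: no random seed loaded"
```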
On Thu, Jan 16, 2014 at 11:35:57AM +0800, WANG Chao wrote:
On 01/15/14 at 12:52pm, Vivek Goyal wrote:
On Wed, Jan 15, 2014 at 03:39:14PM +0800, WANG Chao wrote:
[..]
I am not sure if random seed is optional. I think things will still work but enough randomness might not be there and it might make for weaker crypto and might make it little less secure in kdump environment.
Yes, it's right. Without sufficient entropy, the random could be theoretically vulnerable. That makes kdump environment less secure like you said.
But kdump can't force user to maintain such random seed file /var/lib/systemd/random-seed or /var/lib/random-seed. For whatever reason, this seed file could be deleted or relocated some other place.
Given the fact that entropy may be not sufficient and we must feed /dev/urandom in 2nd kernel. What makes sense to me is that we generate our own seed when creating kdump initramfs and feed this one to /dev/urandom in 2nd kernel.
It's rather simple to implement it. [inspired from man:random(4)]
In module-setup.sh, save random seed:
dd if=/dev/urandom of=${initdir}/$RANDOM_SEED \
   bs=`cat /proc/sys/kernel/random/poolsize` count=1
In kdump.sh, feed /dev/urandom with our preserved random seed:
cat $RANDOM_SEED > /dev/urandom
So neither we have to fail when kdump can't find the system-wide random seed file nor we have worry about where the seed is located.
In general I like the idea that we use /dev/urandom to save the seed if it is not available at standard places. So how about following.
if [ -f /var/lib/random-seed ]; then
    dracut_install /var/lib/random-seed
elif [ -f /var/lib/systemd/random-seed ]; then
    dracut_install /var/lib/systemd/random-seed
else
    : # Use /dev/urandom as random seed
fi
It's too complicated code block and if the seed file changes again, we have to address it for another time. The code block will grow larger and larger.
A seed file doesn't have to be the standard one. As far as I know, /var/lib/systemd/random-seed works in a quite simple way:
- When system is booting, systemd-random-seed.service starts and do the following job:
a) Restore the entropy pool from the last boot by:
cat /var/lib/systemd/random-seed > /dev/urandom
b) Save the entropy pool for the next boot by (in case a sudden shutdown):
dd if=/dev/urandom of=${initdir}/$RANDOM_SEED \
   bs=`cat /proc/sys/kernel/random/poolsize` count=1
- When system is shutting down, s-r-s.service stops and do the following job:
a) Save the entropy pool for the next boot:
dd if=/dev/urandom of=${initdir}/$RANDOM_SEED \
   bs=`cat /proc/sys/kernel/random/poolsize` count=1
So based on how /var/lib/systemd/random-seed works, I think it's nothing wrong if we use a random seed created by ourselves. It could be less vulnerable (more secure) using a different random seed rather than preserving /var/lib/systemd/random-seed for 2nd kernel.
That's why I'd like to stick to the idea to create our own seed and not use the systemd's one.
There is a problem with kdump saving the seed. And that is kdump is started at the beginning of boot and you are assuming that by then systemd has restored the entropy pool from previously saved random seed.
That's the reason I wanted to use last stored random seed instead of relying on the fact that /dev/urandom has been initialized with right random seed.
Thanks Vivek
On 01/16/14 at 09:31am, Vivek Goyal wrote:
On Thu, Jan 16, 2014 at 11:35:57AM +0800, WANG Chao wrote:
On 01/15/14 at 12:52pm, Vivek Goyal wrote:
On Wed, Jan 15, 2014 at 03:39:14PM +0800, WANG Chao wrote:
[..]
I am not sure if random seed is optional. I think things will still work but enough randomness might not be there and it might make for weaker crypto and might make it little less secure in kdump environment.
Yes, it's right. Without sufficient entropy, the random could be theoretically vulnerable. That makes kdump environment less secure like you said.
But kdump can't force user to maintain such random seed file /var/lib/systemd/random-seed or /var/lib/random-seed. For whatever reason, this seed file could be deleted or relocated some other place.
Given the fact that entropy may be not sufficient and we must feed /dev/urandom in 2nd kernel. What makes sense to me is that we generate our own seed when creating kdump initramfs and feed this one to /dev/urandom in 2nd kernel.
It's rather simple to implement it. [inspired from man:random(4)]
In module-setup.sh, save random seed:
dd if=/dev/urandom of=${initdir}/$RANDOM_SEED \
   bs=`cat /proc/sys/kernel/random/poolsize` count=1
In kdump.sh, feed /dev/urandom with our preserved random seed:
cat $RANDOM_SEED > /dev/urandom
So neither we have to fail when kdump can't find the system-wide random seed file nor we have worry about where the seed is located.
In general I like the idea that we use /dev/urandom to save the seed if it is not available at standard places. So how about following.
if [ -f /var/lib/random-seed ]; then
    dracut_install /var/lib/random-seed
elif [ -f /var/lib/systemd/random-seed ]; then
    dracut_install /var/lib/systemd/random-seed
else
    : # Use /dev/urandom as random seed
fi
It's too complicated code block and if the seed file changes again, we have to address it for another time. The code block will grow larger and larger.
A seed file doesn't have to be the standard one. As far as I know, /var/lib/systemd/random-seed works in a quite simple way:
- When system is booting, systemd-random-seed.service starts and do the following job:
a) Restore the entropy pool from the last boot by:
cat /var/lib/systemd/random-seed > /dev/urandom
b) Save the entropy pool for the next boot by (in case a sudden shutdown):
dd if=/dev/urandom of=${initdir}/$RANDOM_SEED \
   bs=`cat /proc/sys/kernel/random/poolsize` count=1
- When system is shutting down, s-r-s.service stops and do the following job:
a) Save the entropy pool for the next boot:
dd if=/dev/urandom of=${initdir}/$RANDOM_SEED \
   bs=`cat /proc/sys/kernel/random/poolsize` count=1
So based on how /var/lib/systemd/random-seed works, I think it's nothing wrong if we use a random seed created by ourselves. It could be less vulnerable (more secure) using a different random seed rather than preserving /var/lib/systemd/random-seed for 2nd kernel.
That's why I'd like to stick to the idea to create our own seed and not use the systemd's one.
There is a problem with kdump saving the seed. And that is kdump is started at the beginning of boot and you are assuming that by then systemd has restored the entropy pool from previously saved random seed.
I looked into the systemd services dependencies[1], I found that kdump would always run after systemd-random-seed. That said, when kdump is starting, /dev/urandom is already fed. And actually systemd-random-seed service is started very early, same level with systemd-udevd, systemd-journald etc. and systemd-random-seed is only depending on the / mount.
[1]: I got this data by running `systemctl list-dependencies kdump`
That's the reason I wanted to use last stored random seed instead of relying on the fact that /dev/urandom has been initialized with right random seed.
Except it is a fact...
Thanks WANG Chao
On Fri, Jan 17, 2014 at 04:34:29PM +0800, WANG Chao wrote:
[..]
There is a problem with kdump saving the seed. And that is kdump is started at the beginning of boot and you are assuming that by then systemd has restored the entropy pool from previously saved random seed.
I looked into the systemd services dependencies[1], I found that kdump would always run after systemd-random-seed. That said, when kdump is starting, /dev/urandom is already fed. And actually systemd-random-seed service is started very early, same level with systemd-udevd, systemd-journald etc. and systemd-random-seed is only depending on the / mount.
[1]: I got this data by running `systemctl list-dependencies kdump`
I was trying to avoid making assumptions on the system service start order. It works this way today what if order changes tomorrow. This assumption is kind of subtle that kdump depends on /dev/urandom being fed by the time service starts.
So I prefer that you first look for random-seed file so that we don't assume service order dependencies. But if you don't like this, it is ok. I am not too particular about it and can live with saving /dev/urandom.
Thanks Vivek
On 01/17/14 at 11:23am, Vivek Goyal wrote:
On Fri, Jan 17, 2014 at 04:34:29PM +0800, WANG Chao wrote:
[..]
There is a problem with kdump saving the seed. And that is kdump is started at the beginning of boot and you are assuming that by then systemd has restored the entropy pool from previously saved random seed.
I looked into the systemd services dependencies[1], I found that kdump would always run after systemd-random-seed. That said, when kdump is starting, /dev/urandom is already fed. And actually systemd-random-seed service is started very early, same level with systemd-udevd, systemd-journald etc. and systemd-random-seed is only depending on the / mount.
[1]: I got this data by running `systemctl list-dependencies kdump`
I was trying to avoid making assumptions on the system service start order. It works this way today what if order changes tomorrow. This assumption is kind of subtle that kdump depends on /dev/urandom being fed by the time service starts.
Actually I'm quite confident that this kind of order will not change. Given the fact that /dev/urandom will be used by all kinds of programs during system start-up, I think /dev/urandom has to be fed at a very early stage (way earlier than kdump service start time). This is fundamental.
As for the random-seed file used for restore/save urandom across boots, I think this is the one that we want to avoid cause it could probably change its location in the future like this time.
So I prefer that you first look for random-seed file so that we don't assume service order dependencies. But if you don't like this, it is ok. I am not too particular about it and can live with saving /dev/urandom.
I'm just trying to stand up for my point. If you have better idea that makes sense to me, trust me, I'm willing to change to it.
So how about the following patch?
-- >8 --
From f257d34a7156e24dbbe35706a55a449e7c56f2d0 Mon Sep 17 00:00:00 2001
From: WANG Chao chaowang@redhat.com Date: Mon, 23 Dec 2013 13:40:19 +0800 Subject: [PATCH] ssh dump: create random-seed manually
In ssh dump, we use random-seed to feed /dev/urandom. Since the systemd random-seed file could its place, it's better we create our own random-seed.
The discussion is listed below for future reference: https://lists.fedoraproject.org/pipermail/kexec/2014-January/000340.html
Signed-off-by: WANG Chao chaowang@redhat.com --- dracut-module-setup.sh | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh index c013430..93e3490 100755 --- a/dracut-module-setup.sh +++ b/dracut-module-setup.sh @@ -392,13 +392,25 @@ kdump_check_iscsi_targets () { } }
+# Install a random seed used to feed /dev/urandom +kdump_install_random_seed() { + local poolsize=`cat /proc/sys/kernel/random/poolsize` + + if [ ! -d ${initdir}/var/lib/ ]; then + mkdir -p ${initdir}/var/lib/ + fi + + dd if=/dev/urandom of=${initdir}/var/lib/random-seed \ + bs=$poolsize count=1 2> /dev/null +} +
install() { kdump_install_conf >"$initdir/lib/dracut/no-emergency-shell"
if is_ssh_dump_target; then - dracut_install /var/lib/random-seed || exit $? + kdump_install_random_seed fi dracut_install -o /etc/adjtime /etc/localtime inst "$moddir/monitor_dd_progress" "/kdumpscripts/monitor_dd_progress"
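Review bot: In kdump_install_random_seed(), the result of dd is neither checked nor reported: its stderr goes to /dev/null and the call site in install() no longer has the "|| exit $?" that the old dracut_install line carried, so a failed write leaves an ssh-target initramfs without /var/lib/random-seed and the build still succeeds. Return dd's status from the function and keep "|| exit $?" at the call. The seed is also created with whatever umask the build runs under; a chmod 600 on ${initdir}/var/lib/random-seed after the dd would keep it owner-only. The "if [ ! -d ... ]" test around mkdir -p is redundant, since mkdir -p already succeeds on an existing directory.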
On Mon, Jan 20, 2014 at 02:45:25PM +0800, WANG Chao wrote:
On 01/17/14 at 11:23am, Vivek Goyal wrote:
On Fri, Jan 17, 2014 at 04:34:29PM +0800, WANG Chao wrote:
[..]
There is a problem with kdump saving the seed. And that is kdump is started at the beginning of boot and you are assuming that by then systemd has restored the entropy pool from previously saved random seed.
I looked into the systemd services dependencies[1], I found that kdump would always run after systemd-random-seed. That said, when kdump is starting, /dev/urandom is already fed. And actually systemd-random-seed service is started very early, same level with systemd-udevd, systemd-journald etc. and systemd-random-seed is only depending on the / mount.
[1]: I got this data by running `systemctl list-dependencies kdump`
I was trying to avoid making assumptions on the system service start order. It works this way today what if order changes tomorrow. This assumption is kind of subtle that kdump depends on /dev/urandom being fed by the time service starts.
Actually I'm quite confident that this kind of order will not change. Given the fact that /dev/urandom will be used by all kinds of programs during system start-up, I think /dev/urandom has to be fed at a very early stage (way earlier than kdump service start time). This is fundamental.
As for the random-seed file used for restore/save urandom across boots, I think this is the one that we want to avoid cause it could probably change its location in the future like this time.
So I prefer that you first look for random-seed file so that we don't assume service order dependencies. But if you don't like this, it is ok. I am not too particular about it and can live with saving /dev/urandom.
I'm just trying to stand up for my point. If you have better idea that makes sense to me, trust me, I'm willing to change to it.
So how about the following patch?
-- >8 --
From f257d34a7156e24dbbe35706a55a449e7c56f2d0 Mon Sep 17 00:00:00 2001
From: WANG Chao chaowang@redhat.com Date: Mon, 23 Dec 2013 13:40:19 +0800 Subject: [PATCH] ssh dump: create random-seed manually
In ssh dump, we use random-seed to feed /dev/urandom. Since the systemd random-seed file could its place, it's better we create our own
^^ s/"could its place"/could change location
random-seed.
The discussion is listed below for future reference: https://lists.fedoraproject.org/pipermail/kexec/2014-January/000340.html
Signed-off-by: WANG Chao chaowang@redhat.com
Ok, I am fine with this patch. Please put a comment above kdump_install_random_seed() function saying that we are assuming that systemd already has fed /dev/urandom with random-seed.
Thanks Vivek
dracut-module-setup.sh | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh index c013430..93e3490 100755 --- a/dracut-module-setup.sh +++ b/dracut-module-setup.sh @@ -392,13 +392,25 @@ kdump_check_iscsi_targets () { } }
+# Install a random seed used to feed /dev/urandom +kdump_install_random_seed() {
- local poolsize=`cat /proc/sys/kernel/random/poolsize`
- if [ ! -d ${initdir}/var/lib/ ]; then
mkdir -p ${initdir}/var/lib/
- fi
- dd if=/dev/urandom of=${initdir}/var/lib/random-seed \
bs=$poolsize count=1 2> /dev/null
+}
install() { kdump_install_conf >"$initdir/lib/dracut/no-emergency-shell"
if is_ssh_dump_target; then
dracut_install /var/lib/random-seed || exit $?
fi dracut_install -o /etc/adjtime /etc/localtime inst "$moddir/monitor_dd_progress" "/kdumpscripts/monitor_dd_progress"kdump_install_random_seed
-- 1.8.4.2
On 12/23/13 at 01:50pm, WANG Chao wrote:
In ssh dump, we use random-seed to feed /dev/urandom. In later release of systemd[1], random-seed is moved from /var/lib/random-seed to /var/lib/systemd/random-seed. We need to adapt the change and also keep backward compatibility with older systemd.
Hi, Vivek
Could you review this patch? This one is for Fedora only.
Thanks WANG Chao
Signed-off-by: WANG Chao chaowang@redhat.com
dracut-kdump.sh | 7 ++++++- dracut-module-setup.sh | 3 ++- 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/dracut-kdump.sh b/dracut-kdump.sh index 4d8616f..a7672e1 100755 --- a/dracut-kdump.sh +++ b/dracut-kdump.sh @@ -146,7 +146,12 @@ dump_ssh()
echo "kdump: saving to $_host:$_dir"
- cat /var/lib/random-seed > /dev/urandom
if [ -f /var/lib/random-seed ]; then
cat /var/lib/random-seed > /dev/urandom
elif [ -f /var/lib/systemd/random-seed ]; then
cat /var/lib/systemd/random-seed > /dev/urandom
fi
ssh -q $_opt $_host mkdir -p $_dir || return 1
save_vmcore_dmesg_ssh ${DMESG_COLLECTOR} ${_dir} "${_opt}" $_host
diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh index c013430..96009f8 100755 --- a/dracut-module-setup.sh +++ b/dracut-module-setup.sh @@ -398,7 +398,8 @@ install() { >"$initdir/lib/dracut/no-emergency-shell"
if is_ssh_dump_target; then
dracut_install /var/lib/random-seed || exit $?
dracut_install -o /var/lib/random-seed || exit $?
fi dracut_install -o /etc/adjtime /etc/localtime inst "$moddir/monitor_dd_progress" "/kdumpscripts/monitor_dd_progress"dracut_install -o /var/lib/systemd/random-seed || exit $?
-- 1.8.4.2